feat: add support for SCTP

damex · aauren · commit 39efb9230c06 · 2026-03-09T19:42:08.000-10:00
includes workaround for musl hardcoded protocol table that is missing SCTP support by using protocol name to numeric value mapping in ipset entries closes: #1019 Signed-off-by: Roman Kuzmitskii <roman@damex.org>
diff --git a/pkg/controllers/netpol/network_policy_controller.go b/pkg/controllers/netpol/network_policy_controller.go
@@ -516,6 +516,19 @@ func (npc *NetworkPolicyController) ensureTopLevelChains() {
 		ensureRuleAtPosition(handler,
 			kubeInputChainName, whitelistUDPNodeports, uuid, rulePosition[family])
 		rulePosition[family]++
+
+		whitelistSCTPNodeports := []string{"-p", "sctp", "-m", "comment", "--comment",
+			"allow LOCAL SCTP traffic to node ports", "-m", "addrtype", "--dst-type", "LOCAL",
+			"-m", "multiport", "--dports", npc.serviceNodePortRange, "-j", "RETURN"}
+		uuid, err = addUUIDForRuleSpec(kubeInputChainName, &whitelistSCTPNodeports)
+		if err != nil {
+			klog.Fatalf("Failed to get uuid for rule: %s", err.Error())
+		}
+		klog.V(2).Infof("Allow SCTP traffic to ingress towards node port range: %s for family: %s",
+			npc.serviceNodePortRange, family)
+		ensureRuleAtPosition(handler,
+			kubeInputChainName, whitelistSCTPNodeports, uuid, rulePosition[family])
+		rulePosition[family]++
 	}
 
 	for idx, externalIPRange := range npc.serviceExternalIPRanges {
diff --git a/pkg/controllers/netpol/network_policy_controller_test.go b/pkg/controllers/netpol/network_policy_controller_test.go
@@ -436,6 +436,8 @@ func TestNetworkPolicyBuilder(t *testing.T) {
 	port, port1 := intstr.FromInt(30000), intstr.FromInt(34000)
 	ingressPort := intstr.FromInt(37000)
 	endPort, endPort1 := int32(31000), int32(35000)
+	sctpPort := intstr.FromInt(36000)
+	sctpProto := v1.ProtocolSCTP
 	testCases := []tNetpolTestCase{
 		{
 			name: "Simple Egress Destination Port",
@@ -530,6 +532,58 @@ func TestNetworkPolicyBuilder(t *testing.T) {
 				"-A KUBE-NWPLCY-2UTXQIFBI5TAPUCL -m comment --comment \"rule to ACCEPT traffic from source pods to all destinations selected by policy name: simple-egress-pr namespace nsA\" --dport 34000:35000 -j MARK --set-xmark 0x10000/0x10000 \n" +
 				"-A KUBE-NWPLCY-2UTXQIFBI5TAPUCL -m comment --comment \"rule to ACCEPT traffic from source pods to all destinations selected by policy name: simple-egress-pr namespace nsA\" --dport 34000:35000 -m mark --mark 0x10000/0x10000 -j RETURN \n",
 		},
+		{
+			name: "Simple SCTP Egress Destination Port",
+			netpol: tNetpol{name: "sctp-egress", namespace: "nsA",
+				podSelector: metav1.LabelSelector{
+					MatchExpressions: []metav1.LabelSelectorRequirement{
+						{
+							Key:      "app",
+							Operator: "In",
+							Values:   []string{"a"},
+						},
+					},
+				},
+				egress: []netv1.NetworkPolicyEgressRule{
+					{
+						Ports: []netv1.NetworkPolicyPort{
+							{
+								Protocol: &sctpProto,
+								Port:     &sctpPort,
+							},
+						},
+					},
+				},
+			},
+			expectedRule: "-A KUBE-NWPLCY-HHGHJNRMJN6UUDNA -m comment --comment \"rule to ACCEPT traffic from source pods to all destinations selected by policy name: sctp-egress namespace nsA\" -p SCTP --dport 36000 -j MARK --set-xmark 0x10000/0x10000 \n" +
+				"-A KUBE-NWPLCY-HHGHJNRMJN6UUDNA -m comment --comment \"rule to ACCEPT traffic from source pods to all destinations selected by policy name: sctp-egress namespace nsA\" -p SCTP --dport 36000 -m mark --mark 0x10000/0x10000 -j RETURN \n",
+		},
+		{
+			name: "Simple SCTP Ingress Destination Port",
+			netpol: tNetpol{name: "sctp-ingress", namespace: "nsA",
+				podSelector: metav1.LabelSelector{
+					MatchExpressions: []metav1.LabelSelectorRequirement{
+						{
+							Key:      "app",
+							Operator: "In",
+							Values:   []string{"a"},
+						},
+					},
+				},
+				ingress: []netv1.NetworkPolicyIngressRule{
+					{
+						Ports: []netv1.NetworkPolicyPort{
+							{
+								Protocol: &sctpProto,
+								Port:     &sctpPort,
+							},
+						},
+					},
+				},
+			},
+			expectedRule: "-A KUBE-NWPLCY-BHQGYKZ6X5RBPUOB -m comment --comment \"rule to ACCEPT traffic from all sources to dest pods selected by policy name: sctp-ingress namespace nsA\" -p SCTP --dport 36000 -j MARK --set-xmark 0x10000/0x10000 \n" +
+				"-A KUBE-NWPLCY-BHQGYKZ6X5RBPUOB -m comment --comment \"rule to ACCEPT traffic from all sources to dest pods selected by policy name: sctp-ingress namespace nsA\" -p SCTP --dport 36000 -m mark --mark 0x10000/0x10000 -j RETURN \n",
+		},
 		{
 			name: "Port > EndPort (invalid condition, should drop endport)",
 			netpol: tNetpol{name: "invalid-endport", namespace: "nsA",
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -102,6 +102,7 @@ const (
 
 	tcpProtocol         = "tcp"
 	udpProtocol         = "udp"
+	sctpProtocol        = "sctp"
 	noneProtocol        = "none"
 	tunnelInterfaceType = "tunnel"
 
@@ -705,7 +706,11 @@ func (nsc *NetworkServicesController) syncIpvsFirewall() error {
 
 		serviceIPsSets[family] = append(serviceIPsSets[family], []string{address.String(), utils.OptionTimeout, "0"})
 
-		ipvsAddressWithPort := fmt.Sprintf("%s,%s:%d", address, protocol, port)
+		ipsetProto := protocol
+		if protocol == sctpProtocol {
+			ipsetProto = strconv.FormatUint(uint64(convertSvcProtoToSysCallProto(protocol)), 10)
+		}
+		ipvsAddressWithPort := fmt.Sprintf("%s,%s:%d", address, ipsetProto, port)
 		serviceIPPortsIPSets[family] = append(serviceIPPortsIPSets[family],
 			[]string{ipvsAddressWithPort, utils.OptionTimeout, "0"})
 
diff --git a/pkg/controllers/proxy/service_endpoints_sync.go b/pkg/controllers/proxy/service_endpoints_sync.go
@@ -746,7 +746,7 @@ func (nsc *NetworkServicesController) cleanupStaleIPVSConfig(activeServiceEndpoi
 	var protocol string
 	for _, ipvsSvc := range ipvsSvcs {
 		// Note that this isn't all that safe of an assumption because FWMark services have a completely different
-		// protocol. So do SCTP services. However, we don't deal with SCTP in kube-router and FWMark is handled below.
+		// protocol, which is handled below.
 		protocol = convertSysCallProtoToSvcProto(ipvsSvc.Protocol)
 		// FWMark services by definition don't have a protocol, so we exclude those from the conditional so that they
 		// can be cleaned up correctly.
diff --git a/pkg/controllers/proxy/utils.go b/pkg/controllers/proxy/utils.go
@@ -220,6 +220,8 @@ func convertSvcProtoToSysCallProto(svcProtocol string) uint16 {
 		return syscall.IPPROTO_TCP
 	case udpProtocol:
 		return syscall.IPPROTO_UDP
+	case sctpProtocol:
+		return syscall.IPPROTO_SCTP
 	default:
 		return syscall.IPPROTO_NONE
 	}
@@ -233,6 +235,8 @@ func convertSysCallProtoToSvcProto(sysProtocol uint16) string {
 		return tcpProtocol
 	case syscall.IPPROTO_UDP:
 		return udpProtocol
+	case syscall.IPPROTO_SCTP:
+		return sctpProtocol
 	default:
 		return noneProtocol
 	}
